“Hey Researchers, there is a problem...”


A Response to ‘“Hey Players, there is a problem...”: On Attribute Inference
Attacks against Videogamers’ by Linus Eisele and Giovanni Apruzzese at
the University of Liechtenstein. 


Written by Magewinter in collaboration with the r/WoW mod team. 
Contact: worldofwarcraftsubreddit@gmail.com 


Dear reader, 

This letter is written in response to a report published on findings gathered in part from our online 
community space at r/WoW. In this response, we intend to highlight issues with the way this information
was gathered, as well as with the conclusions drawn within the paper. The outcome of this study has had 
a harmful impact on our community, and has eroded the trust between our gaming community and 
academics involved in user research. 


Context 


The writers of this letter are the moderation team of a subreddit forum for the game World of Warcraft, 
with over 2.6 million members in our community. We were approached on January 5th, 2024 by Linus 
Eisele and Giovanni Apruzzese so that they might post an academic survey on our subreddit. 


For a survey to be posted on our subreddit, we require: 


• Evidence that the survey is used for legitimate academic research, such as an academic email
address provided, names of the researchers, and details of the academic institution they
represent.

• Confirmation that the research is confidential, and that no personally identifiable information is
given by responders*.

• Evidence that the survey is specific to players of World of Warcraft, and not gaming or MMORPGs
in general.


*We make an exception for the option for responders to provide an email, either so that they can win a prize, 
or be contacted further about the study. This must be optional, and was not applicable in this case. 


In addition, we review the content of the survey to ensure that the questions meet our requirements and 
further confirm - as much as we reasonably can - the legitimacy of the survey. In this instance, the survey 
met our criteria for approval, based on information available within the survey provided by the
researchers, and the fact that a specific survey had been created for World of Warcraft players. 


On the 8th June, five months later, the researchers sent the moderation team a modmail, asking for the 
results of their study to be approved to post on the subreddit. It is important to note that this permission
was only requested after an initial attempt to post this research without our permission had failed - as our 
automoderator had flagged their post as potential spam. By this time, the researchers had already posted 
these findings on multiple subreddits, and would go on to post this publicly on 18 subreddits in total.


The report drew conclusions that we, the r/WoW moderation team, were leaving ourselves open to 
Attribute Inference Attacks, because we had allowed the academic researchers to post a survey to the 
subreddit. 


We were not made aware of the true nature of the research conducted within our community until the 
findings were posted. 


Lack of Informed Consent 


Firstly, the survey approval of a moderator was counted in the report, without that moderator’s consent.
At this point, the moderator who responded to the researchers became a nonconsensual participant in 
their study. 


This consent is not something that can be retroactively gained, as unfortunately, that moderator passed 
away suddenly in February.


Later, after the moderation team had responded to the publicised report, the researcher was made aware 
of the death of that moderator on Twitter, yet still chose to publicly share the response of that moderator
anyway. We share this now as his response is already public, but consent was never gained by the
researcher for the communication between this moderator and themselves to be made public or counted 
as a metric within the report. We believe this to be in conflict with the IEEE’s Code of Ethics section I.1 and 
II.9 in particular. 


IEEE Code of Ethics

I. To uphold the highest standards of integrity, responsible behavior, and ethical conduct in professional
activities.

1. to hold paramount the safety, health, and welfare of the public, to strive to comply with ethical
design and sustainable development practices, to protect the privacy of others, and to disclose
promptly factors that might endanger the public or the environment;

II. To treat all persons fairly and with respect, to not engage in harassment or discrimination, and to avoid
injuring others.

9. to avoid injuring others, their property, reputation, or employment by false or malicious actions,
rumors or any other verbal or physical abuses;


The researcher claims that the moderation team were made aware of the true nature of the research
paper, but this is not true. The researchers told the moderation team that the paper focused on in-game
data privacy, rather than data shared in public forums and via academic surveys. Additionally, after the
report was written, the moderators were not contacted directly to be made aware of any of the learning
points discussed within the paper - the first contact received after the report was finished was the
aforementioned attempt by the researchers to publish the findings on the subreddit publicly, as well as in
17 other subreddits across the Reddit gaming community.


Secondly, the participants were not informed of the true nature of the survey until after they had
submitted their responses. The “truth” was revealed once participants had completed and sent their
survey response, and were even asked not to share the true nature of this survey with others. As the
moderator who approved this survey has since passed away, we cannot verify whether he submitted his
responses and saw this page. It is standard practice however not to click ‘submit’ in order to preserve the
integrity of the research, as he will likely have clicked through the survey to read the questions, rather than
provide considered answers. Regardless, the true nature of an academic survey should not be withheld
from the participants until after they have sent their response.


Misrepresentation of the Study’s Findings 


The results of this particular study do not paint an accurate picture of the information gained in this 
research. Firstly, subreddits that did not allow the researchers to post their survey in their communities 
were not named in the study, only those who were labelled ‘Communities that Facilitate AIA’ in Table II of 
the report. These communities were labelled as such regardless of whether or not the moderation team 
had verified the academic legitimacy of the survey, such as had happened in the case of r/WoW. 


We believe it is a misrepresentation of the truth to conclude that community moderators who inspected 
and verified the legitimacy of the research study are just as much facilitators of AIA as those who allow 
any surveys to be posted with no prior approval, or inactive moderation teams that did not remove the 
survey posted without explicit permission. 


Additionally, the report fails to detail the process by which the authors obtained permission to collect user 
information. The authors describe that they responded “ethically” and counted the total number of 
messages sent, without so much as summarising the content of those messages. The authors fail to 
account for how their own presentation - as legitimate researchers - impacted the verification process
and ultimately the user data that was gathered. 


In the case of r/WoW, the survey itself contained an academic email and details of the academic 
institution that could be cross referenced against the names of the researchers to ensure their legitimacy, 
within our reasonable ability to do so. 


We find this omission of important impacting variables and subsequent misrepresentation of the findings 
to be in conflict with the IEEE code of ethics also: 


I. To uphold the highest standards of integrity, responsible behavior, and ethical conduct in professional
activities.

5. to seek, accept, and offer honest criticism of technical work, to acknowledge and correct
errors, to be honest and realistic in stating claims or estimates based on available data, and to
credit properly the contributions of others;


Negative Consequences of This Paper 


The major consequence of this paper has been an erosion of the trust that previously existed between 
online spaces such as r/WoW, and those allowed into these spaces to conduct academic research. Here 
we provide some quotes from the comment section of our initial post made in response to the report:


“Cultural anthropologists that focus on online subcultures are going to be furious with this. 
It's going to poison the well against legitimate research approaches. Why should anyone believe a person 
that says they're doing an academic study now?” 


“So we want you to help with an academic survey and the result is that you should not have let us do a 
survey? 

So the result is many subs are just going to not allow any even profession surveys going forward. I get what
they are saying but it is just making things much more difficult for people who want to do actual surveys?”


“You see. If I remember correctly I completed the survey under the assumption that it was being done in
good faith. Seeing that it was being conducted in a confidential manner by a reputable institution I shared
the information they asked for. When possible I try to participate in surveys like this because I know that the
more data available the more accurate it will be. I agree that the way this was conducted and is being
presented is unethical. I think that the fact that this "study" was conducted at all shows that the ones
conducting it went in with an inherent bias against MMO players. Why choose this demographic to begin
with if not to show us as gullible?”


Even if the moderators unwittingly involved in this study were to continue to approve academic studies 
moving forward, it is undeniable that there will be a portion of the community which would now be 
unwilling to engage with any study as a direct result of this paper. 

Additionally, the authors acknowledge (see below) that the public report now provides information to
potential attackers on which subreddits and online community spaces are most vulnerable to Attribute 
Inference Attacks, potentially causing the issue that the research claims to try to solve. If the intention of 
the researchers was to better equip and inform community moderators on how they could better prevent 
AIA within their online spaces, then the findings of the report should have been first shared privately, so 
that the necessary preventative measures could have been put in place before the report was made 
public. 


“Ethical Statement: We acknowledge that the following information may be helpful for evildoers. However, 
we favor ethical disclosure, respecting the right to be informed of gamers [29, 30].” 


Found on page 3 of the report. 


Our Recommendations 


We have made clear that we do not believe that the way this study was conducted was the right way of 
informing communities of their susceptibility to AIA, nor was it the right way to conduct and conclude 
research gained within our community spaces. 


Instead, we recommend the following alternatives for if a future, similar study was to take place: 


• A study that asks users about past experiences where they have shared information, rather than
asking them to share any information within that survey. For example, rather than a question
asking them to link their character’s armory page, ask the users if they have ever linked their
character’s armory page online before.

• Questions asking users whether they would feel comfortable sharing certain types of information,
rather than asking for that information.

• In the case of a survey where the researchers intend to reveal the true nature of the study after
the questions have been answered, this should be done so before users submit their responses,
and with assurance that the responder can exit the questionnaire at that point if they do not want
their responses shared in light of this new information.

• A survey that asks moderators questions about the surveys/studies that they typically allow on
the subreddit, with informed consent provided by those moderators for their responses to be
used in the research paper.

• A survey for moderators that asks their opinion on hypothetical scenarios, rather than
orchestrating a real event where the moderators’ willingness to allow an actual academic survey
to be posted is criticised.


The researchers reached out to us via email after we had responded publicly to their report, and offered to 
make revisions to the paper to address some of our concerns. They have shared a version of the report 
with some changes made, which we have been asked not to share. However, as previously mentioned, the 
moderator who approved their survey in the first place has since passed away, and did not provide fully 
informed consent for either himself or our subreddit to be used in this study, which in our opinion, is an
irreparable flaw in the report. 


Action Plan 


In light of this report, we as a moderation team have identified ways in which we can introduce additional 
barriers for those committing AIA to do so in our community. We will not, however, share these steps 
publicly - for fear of unintentionally creating a guide for those who wish to abuse this system to find a 
work-around. 


With this being said, the research for this report was conducted under legitimate academic pretences - 
and we cannot, and should not have to, protect ourselves from genuine academic researchers who hide 
the true nature of their research until after the research has been submitted. We are now, however, more 
informed on bad academic practice to be wary of, as well as the IEEE code of ethics and rules around 
gaining informed consent. This action is taken as a result of this survey, but not as a result of the 
researchers’ findings. 


Conclusion 


This study by Linus Eisele and Giovanni Apruzzese targeted unpaid community moderators of online 
video game forums. These researchers sought to use the moderators’ nonconsensual participation in 
their research as a cautionary tale, by posting their findings publicly in the very community spaces they 
had used for their report. They also did not gain fully informed consent from the subreddit users who 
were kind enough to respond to their survey. 


It may be true that in light of these findings, we will make improvements to the way that we handle 
academic survey requests to our subreddit (that is, if we allow future surveys to be conducted at all);
however, gaining this outcome as a result of damaging the trust between academics and the gaming
community is not something we want to see celebrated. We especially do not want to see this celebrated 
in an international academic conference on gaming. This is why we are calling for the IEEE CoG to 
reconsider their acceptance of this report to their conference in August. 


Signed, 


u/Magewinter (Lead moderator of r/WoW) 
And members of the moderation team: 
u/Oriolexy 

u/YourResidentFeral 
u/TheArbiterofOribos 

u/Jourlen 

u/Khadgars_Manager 


Glossary of terms: 


1. Armory: An online database for World of Warcraft that allows players to view character profiles, 
gear, achievements, and other in-game information related to the players’ characters. 

2. Automoderator: A type of software or program used in online forums or communities to 
automatically perform certain moderation tasks based on pre-set rules, such as removing spam 
or flagging specific keywords. 

3. MMORPG: Short for “Massively Multiplayer Online Role Playing Game;” an online role-playing 
video game in which a very large number of people participate simultaneously. 

4. Moderator: A Reddit user with elevated privileges who is responsible for enforcing rules and 
managing user interactions within their topic-specific forum. 

5. Modmail: Short for “moderator mail,” it is a communication system within Reddit that allows users
to send messages directly to the moderators. These messages can be read by all moderators of 
that subreddit, but are not public. 

6. r/WoW: Short for “reddit World of Warcraft,” it refers to the specific subreddit dedicated to
discussions, content, and news related to the popular MMORPG game World of Warcraft. 

7. Subreddit (Occasionally Shortened to ‘sub’): A subsection or community forum within the larger 
website Reddit, focused on a specific topic or theme. 


